Is "escapeshellarg" safe enough?
Scenario:

  1. user enters video url

  2. php downloads video with exec( "youtube-dl " . escapeshellarg($url) );

Question:

Is it safe enough?

Thanks!

Code answered 26/5, 2014 at 9:17

escapeshellarg prevents the shell from misinterpreting your command-line, so you're safe there. However, you're still passing in user input to youtube-dl. While this is not a security risk, it will fail in certain cases. You want to add -- to make sure that the user's input is a URL and not an option:

exec( "youtube-dl -- " . escapeshellarg($url) );

This will also fix problems where the "URL" starts with a dash. For example, -8F4YF_pH-4 is a valid YouTube video ID.

Hiles answered 26/5, 2014 at 10:7
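The following is an added example, not code from the thread: it builds the command the way the answer above recommends (fixed options, then `--`, then the `escapeshellarg()`-quoted value) and, in addition, checks the user's input before it reaches the shell at all. The host allowlist, the decision to accept a bare 11-character video ID alongside a URL, and the sample inputs are assumptions for the demo.

```php
<?php
// Added example (not from the thread). Assumptions: the allowlist below, and
// that a bare 11-character YouTube ID is an acceptable input as well as a URL.
declare(strict_types=1);

/** Hosts the downloader may be pointed at (assumed allowlist). */
const ALLOWED_HOSTS = ['www.youtube.com', 'youtube.com', 'youtu.be'];

/**
 * Accept an absolute http(s) URL on an allowed host, or a bare video ID.
 * escapeshellarg() keeps the shell from misparsing the value; this check
 * limits what the downloader is asked to fetch, which quoting cannot do.
 */
function isAllowedVideoInput(string $value): bool
{
    // Bare YouTube ID, which may legitimately start with a dash (e.g. -8F4YF_pH-4).
    if (preg_match('/^[A-Za-z0-9_-]{11}$/', $value) === 1) {
        return true;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    return in_array(strtolower($parts['host']), ALLOWED_HOSTS, true);
}

/**
 * Fixed program and options first, then "--" so whatever follows is a
 * positional argument even if it starts with "-", then the quoted value.
 */
function buildDownloadCommand(string $value): string
{
    return 'youtube-dl -- ' . escapeshellarg($value);
}

// Constructed inputs covering the cases discussed in the thread.
$inputs = [
    '-8F4YF_pH-4',                                   // valid ID that looks like an option
    "https://youtu.be/abc' ; echo injected ; echo '", // quote breakout attempt
    '--some-option',                                  // not a URL or ID: rejected before the shell
    'ftp://example.com/video.mp4',                    // wrong scheme: rejected
];

foreach ($inputs as $value) {
    if (!isAllowedVideoInput($value)) {
        echo "rejected: $value\n";
        continue;
    }
    $cmd = buildDownloadCommand($value);
    echo "would run: $cmd\n";
    // exec($cmd, $output, $status); // the real download, omitted from the demo
}
```

For the first input the command becomes `youtube-dl -- '-8F4YF_pH-4'`, which youtube-dl treats as a video argument rather than an option; for the second it becomes `youtube-dl -- 'https://youtu.be/abc'\'' ; echo injected ; echo '\'''`, a single argument the shell never interprets. The allowlist is the part neither answer covers: `escapeshellarg()` makes the argument safe for the shell, but it says nothing about whether you wanted youtube-dl to contact that host in the first place.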

Yes, it's safe enough. You can check that it's working.

escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument. This function should be used to escape individual arguments to shell functions coming from user input.

$arg = 'test\'test';
echo escapeshellarg($arg);

It will show 'test'\''test' as output, so you can't trick it.

Jamiejamieson answered 26/5, 2014 at 9:58